Merge ~sbeattie/ubuntu-cve-tracker/+git/ubuntu-cve-tracker:kernel-triage-bits into ubuntu-cve-tracker:master

Proposed by Steve Beattie
Status: Merged
Merged at revision: e509323937633969764b55c428a2d6693db06685
Proposed branch: ~sbeattie/ubuntu-cve-tracker/+git/ubuntu-cve-tracker:kernel-triage-bits
Merge into: ubuntu-cve-tracker:master
Diff against target: 116 lines (+82/-8)
2 files modified
README.linux (+78/-7)
scripts/kernel-find-fixes (+4/-1)
Reviewer Review Type Date Requested Status
Cengiz Can (community) Approve
Review via email: mp+461403@code.launchpad.net

Description of the change

This commit series does a few things around kernel cve re-triage:

- It updates the find-fixes script added by Cengiz to support configuring the location of an upstream linux git clone in the ~/.ubuntu-cve-tracker.conf file

- It renames the find-fixes script to kernel-find-fixes, to make it clear the context for which the script is intended

- It adds documentation on how to do this to the README.linux document, including how to set the git clone up to include linus' primary tree, the linux-stable tree, and the linux-next tree

- It also adds documentation on a few other trackers that can be useful for identifying fixing CVEs, including their configuration in the ~/.ubuntu-cve-tracker.conf file, as well as referencing the scripts that can use them.

Explicitly adding Cengiz as a reviewer, to make sure the renaming of the find-fixes script won't break the kernel team's workflow.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Nice, thanks

Revision history for this message
Steve Beattie (sbeattie) wrote :

> > +git clone //git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git "$linux_kernel_path"
>
> I think this is missing a leading 'https:'

Quite right, amended commit to add it (along with adding refs to
the merge proposal in the commit messages) and re-pushed the merge
proposal branch.

Thanks!

--
Steve Beattie
<email address hidden>

Revision history for this message
Cengiz Can (cengizcan) wrote :

Thank you! No it won't break any workflows. ACK.

review: Approve

Preview Diff

diff --git a/README.linux b/README.linux
index 5a4d90b..48dae64 100644
--- a/README.linux
+++ b/README.linux
@@ -1,14 +1,85 @@
1Distro kernels1Distro kernels
2--------------2--------------
3
3Ubuntu kernels as part of the archive are listed here:4Ubuntu kernels as part of the archive are listed here:
4https://wiki.ubuntu.com/Kernel/Dev/ABIPackages5<https://wiki.ubuntu.com/Kernel/Dev/ABIPackages>
6
7LTS HWE backport kernels from interim releases are typically not
8supported once the next LTS backport kernel is available. For example,
9once the linux 6.2 (mantic 23.10) kernel was brought back to Ubuntu
1022.04 LTS (jammy), the prior HWE kernel in jammy, linux-5.19, no
11longer receives updates. In older releases, the source package
12names were based on the release codename, e.g. linux-lts-trusty,
13linux-lts-quantal, and linux-lts-saucy.
14
15## Additional infrastructure for retriaging kernel CVEs.
16
17### Upstream kernel trees
18
19It is useful to have a reference clone of the upstream [linux] kernel,
20as well as the [linux-stable] and [linux-next] trees. Additionally,
21the `~/.ubuntu-cve-tracker.conf` file can be configured to point at the
22reference tree for researching issues using the `linux_kernel_path`
23variable. An example snippet to place in `~/.ubuntu-cve-tracker.conf`:
24
25```
26# where to find a clone of the upstream linux, linux-stable, and
27# linux-next kernel trees; see README.linux for more details
28linux_kernel_path='/path/to/git/kernel-trees/linux-reference/'
29```
30
31To set the tree up appropriately, edit ~/.ubuntu-cve-tracker.conf and
32then do something like the following:
33
34```shell
35. ~/.ubuntu-cve-tracker.conf
36git clone https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git "$linux_kernel_path"
37cd "$linux_kernel_path"
38git remote add stable https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
39git remote add next https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
40git fetch --all
41```
42
43With this in place, the tool `scripts/kernel-find-fix` will be able to
44look up potential break commits using the Fixes: field from kernel git
45commits.
46
47[linux]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
48[linux-stable]: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
49[linux-next]: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
50
51### Tools for identifying kernel fixes
52
53It is useful to look at some other projects to see if they have
54potentially identified fixes for kernel vulnerabilities. The three
55common ones are the
56
57- [Upstream kernel CNA repo][linux-cna]
58- [Debian's kernel security tracker][debian-kernel]
59- Nicholas Leudtke's [linux github tracker][linux-github]
60
61The latter two can be configured as references in
62`~/.ubuntu-cve-tracker.conf` for use with tools, via the
63`debian_kernel_cve_tracker` and `linux_kernel_cve_tracker` variables
64respectively. An example:
65
66```
67# path to a copy of the linux kernel cve tracker from
68# https://github.com/nluedtke/linux_kernel_cves.git
69linux_kernel_cve_tracker='/path/to/git/cve_trackers/linux_kernel_cves/'
570
6Android kernels (flo, goldfish, grouper, maguro, mako and manta) are not71# path to a copy of the debian kernel cve tracker from
7supported on the Ubuntu Touch 14.10 and earlier preview kernels.72# https://salsa.debian.org/kernel-team/kernel-sec.git
73debian_kernel_cve_tracker='/path/to/git/cve_trackers/debian-kernel-sec/'
74```
875
9LTS backport kernels from interim releases are typically not supported once the76With these configured, the scripts `kernel-triage-missing-break-fix` and
10next LTS backprt kernel is available. For example, now that linux-lts-trusty77`kernel-retriage-cve` can be used to look for CVEs where we have
11is available, linux-lts-quantal and linux-lts-saucy no longer receive official78not identified a fixing commit, but the other projects may have already
12support.79done so.
1380
81**TODO**: add support for examining the linux cna repo
1482
83[linux-cna]: https://git.kernel.org/pub/scm/linux/security/vulns.git/
84[debian-kernel]: https://salsa.debian.org/kernel-team/kernel-sec.git
85[linux-github]: https://github.com/nluedtke/linux_kernel_cves.git
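Review bot: the prose at new line 43 sends readers to `scripts/kernel-find-fix`, but the script this series renames (see the rename hunk below and the description) is `scripts/kernel-find-fixes`, so the documented name will not be found; change it to `scripts/kernel-find-fixes`. Smaller points in the same hunk: the heading `## Additional infrastructure for retriaging kernel CVEs.` carries a trailing period that no other heading has, and the file now mixes the existing underline-style heading (`Distro kernels` / `--------------`) with ATX `##`/`###` headings; the config snippet fence at line 25 is untagged while the setup block at line 34 is tagged `shell`, although both are shell syntax; and the tracker author is spelled `Nicholas Leudtke` at line 59 while the linked repository handle at line 85 is `nluedtke`, so one of the two spellings is off.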
diff --git a/scripts/find-fixes b/scripts/kernel-find-fixes
15similarity index 96%86similarity index 96%
16rename from scripts/find-fixes87rename from scripts/find-fixes
17rename to scripts/kernel-find-fixes88rename to scripts/kernel-find-fixes
index a5cbaf1..b8b63a0 100755
--- a/scripts/find-fixes
+++ b/scripts/kernel-find-fixes
@@ -10,7 +10,10 @@
10# USER CONFIGURATION STARTS10# USER CONFIGURATION STARTS
11#11#
12# Should be updated accordingly:12# Should be updated accordingly:
13UPSTREAM_KERNEL_DIR=~/kernel/upstream13
14[ -f "$HOME"/.ubuntu-cve-tracker.conf ] && . "$HOME"/.ubuntu-cve-tracker.conf
15
16UPSTREAM_KERNEL_DIR="${linux_kernel_path:-~/kernel/upstream}"
14KERNEL_VERSIONS='6.5 6.2 6.1 5.19 5.15 5.14 5.10 5.4 4.19 4.15 4.14 4.9 4.4'17KERNEL_VERSIONS='6.5 6.2 6.1 5.19 5.15 5.14 5.10 5.4 4.19 4.15 4.14 4.9 4.4'
15IFS=" " read -r -a kernel_versions <<< "$KERNEL_VERSIONS"18IFS=" " read -r -a kernel_versions <<< "$KERNEL_VERSIONS"
16#19#
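Review bot: the new default in `UPSTREAM_KERNEL_DIR="${linux_kernel_path:-~/kernel/upstream}"` is inside double quotes, and bash does not perform tilde expansion on the `word` of a double-quoted `${var:-word}`, so when `linux_kernel_path` is unset the variable holds the literal string `~/kernel/upstream` rather than a usable directory; the previous unquoted `UPSTREAM_KERNEL_DIR=~/kernel/upstream` did expand. Use `"${linux_kernel_path:-$HOME/kernel/upstream}"` to preserve the old default. Also, the `# Should be updated accordingly:` comment now sits above the line that sources `"$HOME"/.ubuntu-cve-tracker.conf` instead of the variable it described; moving it down to the `UPSTREAM_KERNEL_DIR` line, or rewording it to say the value can be set via `linux_kernel_path` in that file, would keep the comment accurate.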
